What is the Streamable HTTP Transport?


Streamable HTTP is the current HTTP transport in the MCP specification: the server exposes a single endpoint that accepts POST and GET requests, returning either plain JSON responses or Server-Sent Events streams, with optional session management via the MCP-Session-Id header.

WHY IT MATTERS

Streamable HTTP was introduced in spec revision 2025-03-26, replacing the deprecated HTTP+SSE transport from revision 2024-11-05. It is how every remote MCP server is reached in the current spec, and the transport that gateways and proxies sit on.

The design centres on a single MCP endpoint (e.g. https://example.com/mcp) supporting both methods:

  • POST — every client JSON-RPC message is a new POST. For requests, the server responds with either Content-Type: application/json (one JSON object) or Content-Type: text/event-stream (an SSE stream that eventually carries the response, possibly preceded by server requests and notifications).
  • GET — the client may open a standalone SSE stream so the server can send messages without a pending request; servers that don't support this return 405.
  • Sessions — the server may assign an MCP-Session-Id header on the initialise response; the client must then echo it on every subsequent request (see MCP session).
  • Resumability — SSE events may carry IDs, letting a client reconnect with Last-Event-ID and have missed messages replayed.

Clients must also send an MCP-Protocol-Version header on requests after initialisation. The spec carries security requirements: servers MUST validate the Origin header to prevent DNS rebinding, should bind to localhost when running locally, and should authenticate all connections.
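One way a server or gateway could enforce these header rules before dispatching a message, as an added example that is not PolicyLayer's code or an MCP SDK API. The function names, the allowlist, the supported-version set, the 403 and 404 status codes, and the choices to accept requests with no Origin header and to reject a missing MCP-Protocol-Version are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Constructed sample policy; none of these values come from the page.
ALLOWED_ORIGINS = {"http://localhost:3000", "https://app.example.com"}
SUPPORTED_VERSIONS = {"2025-03-26"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalise_origin(value):
    """Return 'scheme://host[:port]' lowercased, or None if malformed."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # also rejects the opaque origin "null"
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None  # an Origin value carries no path or userinfo
    if port in (None, DEFAULT_PORTS[parts.scheme]):
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def check_request(method, headers, sessions, is_initialise=False):
    """Return (status, reason); status 200 means the request may proceed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if method not in ("POST", "GET"):
        return 405, "method not allowed"
    # Exact-match allowlist: suffix or substring checks are bypassable.
    # Absent Origin is accepted because non-browser clients omit it (assumption).
    if "origin" in h and normalise_origin(h["origin"]) not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    if is_initialise:
        return 200, "ok"  # no session or negotiated version exists yet
    if h.get("mcp-protocol-version") not in SUPPORTED_VERSIONS:
        return 400, "missing or unsupported MCP-Protocol-Version"
    sid = h.get("mcp-session-id")
    if sid is None:
        return 400, "missing MCP-Session-Id"
    if sid not in sessions:
        return 404, "unknown session"  # status chosen for this example
    return 200, "ok"
```

The Origin check runs first so that a rebinding attempt from a browser page is refused before any session state is consulted.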


HOW POLICYLAYER USES THIS

PolicyLayer's hosted gateway speaks Streamable HTTP: AI clients connect to a PolicyLayer endpoint, and the gateway forwards traffic to registered upstream servers after evaluating each tools/call against policy. Because the transport is plain HTTP with a single endpoint, a gateway can sit in the path without either side changing protocol behaviour.

FREQUENTLY ASKED QUESTIONS

Does Streamable HTTP require Server-Sent Events?
No. SSE is optional. A server may answer every request with a single application/json response; clients must support both the JSON and SSE response forms.

What replaced the old HTTP+SSE transport?
Streamable HTTP, introduced in spec revision 2025-03-26. It collapses the old two-endpoint design into one MCP endpoint and adds session management and stream resumability.

Is the MCP-Session-Id header mandatory?
Only if the server assigns one. If the server returns MCP-Session-Id during initialisation, the client must include it on all subsequent requests; servers that require it should answer requests without it with HTTP 400.
